In communicating data across a network, data is packaged according to defined protocol semantics. In the case of TCP/IP protocol the data to be sent is prepared by attaching an IP header containing the source and destination IP addresses among other header information needed for routing purposes. Depending on the protocol used by a network application, additional headers, such as TCP headers, are attached to packets leaving the network. Any packet leaving or entering the networked system consists of headers and payload data. The payload data in a packet can be of zero length.
Network data leaving and entering an operating system traverses several entities prior to being delivered to a network (send operation) or received from the network. Some of these entities have the ability to modify original data. Depending on the logical positioning of the entity, partial or complete modifications can occur, in both headers and data, so that upper or lower entities may be unaware of the changes introduced.
In view of the possibility that malicious software can operate within one or more of these entities of a computing device and modify data sent to, or received from, a network as it traverses the operating system kernel and user mode spaces, it becomes beneficial to verify that the data sent to or received from a user mode application is the same as the data received by or sent to the network card.
As it relates to computer communications, data traversing the operating system kernel to and from user mode is trusted. However, because there are points in between where malware or other software can intercept and modify the data, for example, TCP/IP stenography and other methods for covertly communicating using legitimate communications as a decoy, there is a need for developing methods and systems for detecting and preventing malicious data modification across the operating system kernel and user mode spaces.